HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Concern that Drug Company Use of Patient Data Circumvents HIPAA

Pharmaceutical companies are using patient PHI to market their products, even though they are not permitted to have access to this information under HIPAA regulations, according to a recent report on Bloomberg News.

HIPAA covered entities are not permitted to disclose patient information to third parties for the purposes of marketing, yet pharmaceutical companies are obtaining the data from a different source. Drug companies are now seeking assistance from online data agencies that can provide them with the data they require to directly market products to the persons most likely to use their drugs.

Marketing data is invaluable to drug companies as it enables them to market their products more effectively. The market for a particular treatment may be very small in terms of penetration, so using traditional advertising methods is unlikely to produce the required number of sales. However, if a drug company obtained a list of patients who had been diagnosed with a condition that their drug treats, the volume of sales from its direct marketing efforts would increase substantially. Under HIPAA, though, pharmaceutical companies are not given access to this data.

How the PHI of Patients is Obtained

Internet companies track website visitors and assign them a unique identification number. This number can then be used to link the patient to their medical condition. The patient is identified, but since no name has been provided there is no HIPAA breach. Pharmaceutical companies can obtain valuable data about patients’ illnesses and treatments, and they can then use that information to provide them with targeted adverts.

Privacy groups are concerned that PHI is being provided for marketing purposes, yet the practice falls outside of HIPAA regulations, which only cover healthcare organizations, pharmacies and their business associates.

The data collection technique is called matchback and it is used extensively in online marketing. In the case of healthcare data, data collection companies buy records from pharmacy benefit managers and run complex algorithms to match records with individuals. The transformed data is sold on to the drug companies with codes assigned, and this allows targeted adverts to be displayed to those individuals. The vast majority of consumers who have visited a pharmacy are likely to have been assigned a code, and that code could be in use by pharmaceutical companies.

Consumers who notice they are being presented with adverts specific to medical conditions they suffer from are likely to be viewing those adverts because of the information in their medical histories. However, search engines also track individuals and present adverts based on previous searches.

In the case of internet searches for products, tracking individuals is a perfectly reasonable marketing tactic. However, privacy groups are concerned about the level of medical information that is for sale on the internet and that the practice is a violation of consumers’ right to privacy.

Pharmaceutical companies argue that the technique is necessary in order to recover money for drug development, especially when faced with the expiration of a patent. They use a company that creates a link between two data sets, but the individuals remain totally anonymous. They know you have a condition and what drugs you use, they just do not know you by name. Drug companies conducting marketing using this technique argue that the practice is perfectly legal and acceptable.

Not all pharmaceutical companies agree. GlaxoSmithKline, for example, has stopped all matchback activity due to concerns over patient privacy. On the other hand, AstraZeneca has no such issue with the technique and uses it for all of its digital marketing.

The Office for Civil Rights polices HIPAA, but when contacted by Bloomberg, it declined to comment as it was not familiar with the practice of matchback. Matchback may not breach HIPAA or disclose sensitive information; however, it is a marketing tactic that consumers should be made aware of, although currently patients are not given the opportunity to opt out.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.